Latest Threat Research: LetMeowIn – Analysis of a Credential Dumper

Get Informed


Fake LinkedIn Job Offer Delivers More_eggs Backdoor

The Threat Response Unit (TRU) at eSentire, a Waterloo, Ontario-based cybersecurity firm, has discovered an ongoing fake jobs spear-phishing scam that is infecting the computer systems of LinkedIn users with the dangerous and nasty More_eggs backdoor. Currently, attackers are posing as staffing companies to send compromised and malicious website links to job seekers via LinkedIn messages, and later followed up via emails. The aim is to infect victims’ devices with the More_eggs backdoor to steal data. According to eSentire’s blog post, threat actors are using zip files to target victims based on the job description on their LinkedIn profile. For example, if a LinkedIn member’s job is listed as Senior Account Executive-International Freight, a malicious zip file titled Senior Account Executive-International Freight position would be delivered to the user. If the zip file is opened on a Microsoft Windows device, the victim’s device gets infected with the More_eggs backdoor. Upon infection, the malware takes complete control of a targeted system allowing the attackers to remotely use the system for malicious purposes. With this malware, attackers can also drop ransomware onto a system to encrypt the system and if available, spread it across an organization’s network. With this malware targeting LinkedIn users, this could be a treasure trove for attackers as their intended victims are generally with some sort of professional organization.

Analyst Notes

First and foremost, refrain from clicking on links sent by people on social media, especially from unknown and anonymous users. If you are being asked to click on a zip file, script file, or executable file, you should avoid doing so and report the incident to your company’s IT security department for a follow-up investigation. If you have already downloaded a file, be sure to scan it with a reliable anti-malware, but be aware that most targeted malware campaigns deliver files that are not detected by any anti-malware or anti-virus software for at least a day or two after the campaign starts, so even a seemingly safe file scan could be misleading. Files and links can also be scanned for malicious content on, but you should be aware that any files you submit to VirusTotal can be examined by security researchers, so it is not a good idea to submit any file containing sensitive personal or company proprietary information. It is also strongly recommended to learn about cybersecurity and threats that are prevalent the Internet.

Source article: